Merge pull request #255 from DemiMarie-parity/smuggling

Add hyper request smuggling vulnerability
2026-01-05 19:20:34 +01:00 · 2020-03-31 10:05:32 -07:00
parent 81193d1dba 91eed85346
commit 66112b38a2
1 changed files with 27 additions and 0 deletions
--- a/crates/hyper/RUSTSEC-0000-0000.toml
+++ b/crates/hyper/RUSTSEC-0000-0000.toml
@@ -0,0 +1,27 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "hyper"
+date = "2020-03-19"
+title = "Flaw in hyper allows request smuggling by sending a body in GET requests"
+url = "https://github.com/hyperium/hyper/issues/1925"
+categories = ["format-injection"]
+keywords = ["http", "request-smuggling"]
+
+description = """
+Vulnerable versions of hyper allow GET requests to have bodies, even if there is
+no Transfer-Encoding or Content-Length header.  As per the HTTP 1.1
+specification, such requests do not have bodies, so the body will be interpreted
+as a separate HTTP request.
+
+This allows an attacker who can control the body and method of an HTTP request
+made by hyper to inject a request with headers that would not otherwise be
+allowed, as demonstrated by sending a malformed HTTP request from a Substrate
+runtime.  This allows bypassing CORS restrictions.  In combination with other
+vulnerabilities, such as an exploitable web server listening on loopback, it may
+allow remote code execution.
+
+The flaw was corrected in hyper version 0.12.35.
+"""
+
+[versions]
+patched = [">= 0.12.35"]